How to provide credentials when connecting to the database from a DataStax Enterprise tool.

Analytic applications

Syntax for authorizing Spark applications.

Authorize Spark applications on a DataStax Enterprise Analytics node.

Set permissions on roles to allow Spark applications to be started, stopped, managed, and
viewed. To configure the permissions for a particular role, modify the
WORKPOOL and SUBMISSION database objects by issuing CQL
commands.

There are two kinds of authorization permissions which apply to Spark. Work pool
permissions control the ability to submit or view a Spark application to DSE. Submission
permissions control the ability to view or manage a particular application. If
authentication and authorization are enabled for the Spark
web UI, these permissions control what the authenticated user is allowed to view
and modify.

All the following instructions assume you are issuing the CQL commands as a database
superuser. In order to issue the following CQL commands as a regular database user, the user
needs to have permission to use the DSE resource manager RPC:

GRANT ALL ON REMOTE OBJECT DseResourceManager TO role;

Each DSE Analytics user needs to have permission to use the client tools RPC:

GRANT ALL ON REMOTE OBJECT DseClientTool TO role;

Spark application management permissions use the following modelled hierarchy:

ANY WORKPOOL

WORKPOOL
'datacenter_name.workpool_name'

ANY SUBMISSION

ANY SUBMISSION IN WORKPOOL
'datacenter_name.workpool_name'

SUBMISSION id IN WORKPOOL
'datacenter_name.workpool_name'

Note: You must specify a workpool name or wildcard when
specifying a datacenter. In DSE versions prior to 6.0, you could specify the
datacenter name only, but omitting the workpool name or wildcard will result in a
syntax error.

Synopsis

The following CQL command grants permission to submit a Spark application to

Any workpool in any Analytics datacenter in the
cluster:

GRANT permission_list
ON ANY WORKPOOL
TO role_name;

All workpools in a specific Analytics datacenter (use asterisk instead of a workpool
name):